We have a security/compliance audit that we are preparing for and since we deal with financial institutions, one of the potential flags mentioned was how we track/monitor files that are transferred between our Production and Non-Production environments.
We run a Windows shop. Our IT dept. (the Domain Admins) has access to both our PROD and Non-Prod (Corporate) domains. When builds or files need to be pushed to production, IT is required to perform any file transfers.
To satisfy this requirement we were asked to look at a number of DLP solutions which are turning out to be relatively costly.
We have also explored potentially requiring the IT team to use some sort of FTP or Managed File Transfer system in order to move files between the environments, but that just seems cumbersome.
Are there any other potential solutions we can explore here? The main requirement is that we have some sort of TRACKING or LOGGING of any files copied between the environments. Aside from doing a giant "DIFF" of the environments at the end of each day, I'm not sure what we can do.
Answer
There are many ways to track file movement between systems and environments. However, this is not really a technology product situation. This is a business process and information security situation. Even if you buy a really expensive DLP, you need the policies, processes, and audits to make it meaningful. (See my closing note.)
Rather than waste a bunch of time and money researching shiny things to spend money on, I suggest you check out the Information Security site to get more guidance on this topic.
Once you have a good grasp on the goals of a good segregation of dev, test, and ops environments and "separation of duties" you will likely recognize that the technical problems are not that hard. They sure don't sound hard for what you have described.
I would recommend:
- Solid policies for access control, roles and responsibilities, and separation of duties between the PROD and DEV environments.
- Sufficient event monitoring and auditing for PROD environment at minimum. Better if it exists in both environments.
- Standard Operating Procedures for how the responsible parties (your IT dept.) are supposed to receive, verify, transport, and implement code or file changes in PROD.
Then you can go buy the shiny if it makes number 3 easier/faster/more cost effective.
< rant >
An initial response of "let's buy something to satisfy an audit requirement" is almost always a long-term business or security FAIL. It drives the compliance part of the IT industry, but it won't help you much with actual security and will probably cost you more in the long run.
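As an added illustration of recommendation 2 (built-in event monitoring rather than a purchased product), not part of the original answer: the Windows audit subsystem already logs who wrote which file to a production drop folder, and a short PowerShell script can turn that into a daily report. It assumes local Administrator rights on the PROD file server; the paths `D:\ProdDrop` and `C:\AuditReports\...` are placeholders for this example.

```powershell
# Added example: audit file writes to a PROD drop folder with native Windows
# object-access auditing and summarise the events as a CSV report.
# Assumes Administrator rights (needed to read/write the SACL and the Security log).
$DropFolder = 'D:\ProdDrop'                                  # placeholder path
$Report     = 'C:\AuditReports\ProdDrop-FileEvents.csv'     # placeholder path

# 1. Ensure the "File System" object-access subcategory is being collected at all.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Add a SACL so every create/write/delete under the folder raises event 4663.
$acl  = Get-Acl -Path $DropFolder -Audit
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'CreateFiles, WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure'
)
$acl.AddAuditRule($rule)
Set-Acl -Path $DropFolder -AclObject $acl

# 3. Report: which account, from which process, touched which file since $Since.
function Get-ProdDropFileEvents {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # 4663 details live in the EventData XML; flatten Name/#text pairs into a hashtable.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d.ObjectName -like "$DropFolder*") {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                    File    = $d.ObjectName
                    Access  = $d.AccessMask    # hex mask of the rights exercised
                    Process = $d.ProcessName
                }
            }
        }
}

New-Item -ItemType Directory -Force -Path (Split-Path $Report) | Out-Null
Get-ProdDropFileEvents | Export-Csv -Path $Report -NoTypeInformation
```

Run the report from a scheduled task and retain the CSVs (or forward the Security log to a central collector) so the trail survives on a system the Domain Admins do not administer.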